Setting up the BitBlaze environment: compiling and installing TEMU/Tracecap

Compiling and installing

Following the official howto and the patches posted on the Google Groups forum, I compiled TEMU on both 32-bit and 64-bit Ubuntu 12.04 LTS. The build steps are as follows:


# Things that require root access are preceded with "sudo".

# This script will build TEMU in a "$HOME/bitblaze" directory,
# assuming that temu-1.0.tar.gz is in /tmp.
cd ~
mkdir bitblaze
cd bitblaze

# TEMU is based on QEMU. It's useful to have a vanilla QEMU for testing
# and image development:
sudo apt-get install qemu
# Stuff needed to compile QEMU/TEMU:
sudo apt-get build-dep qemu

# The KQEMU accelerator is not required for TEMU to work, but it can
# be useful to run VMs faster when you aren't taking traces.

# The following commands would build a kqemu module compatible with
# your system QEMU, but in Ubuntu 9.04 that would be too new to work
# with TEMU.
# sudo apt-get install kqemu-common kqemu-source
# sudo apt-get install module-assistant
# sudo module-assistant -t auto-install kqemu


# For the BFD library:
sudo apt-get install binutils-dev

wget http://bitblaze.cs.berkeley.edu/release/temu-1.0/temu-1.0.tar.gz 
tar xvzf temu-1.0.tar.gz 
cd temu-1.0 
patch -p0 <../temu-release2009-gcc4.patch 
./configure --target-list=i386-softmmu --proj-name=sample_plugin --prefix=$(pwd)/install --disable-gcc-check 
make 

make install 

/*********************************************************************************************************

At the make install step, the following error is reported:
error("make[1]: no rule to make target install; make *** [install] 
error 2 "). 

This happens because the Makefile has no install rule. The error can be ignored, or an empty install target (one that does nothing) can be added.

This "error" can be safely ignored: it just results because there's no 
"install" target in the Tracecap Makefile. Note it's our suggestion to 
just run TEMU from the build directory in any case. 

If the presence of the error still bothers you, you can make it go 
away by adding an empty "install" target to the Makefile, as in the 
appended patch. 


Add an empty install target to the Makefile:

/****************************************************************************************************************
--- tracecap/Makefile.orig        2013-03-27 09:34:51.810366503 -0500 
+++ tracecap/Makefile        2013-03-27 09:35:30.863017131 -0500 

 clean: 
         rm -f *.o  *.so *.a *~ $(PLUGIN) ../shared/*.o ../shared/hooks/*.o *.d ../*.d ../shared/*d ../shared/*/*.d ini/main.ini 
  
+install: 
+        @# Unsupported, nothing to do. Just run from this directory. 

 # Include automatically generated dependency files 
 -include $(wildcard *.d ../*.d ../shared/*d ../shared/*/*.d) 
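Review bot: the recipe line `+        @# Unsupported, nothing to do. Just run from this directory.` is indented with spaces as posted, but make requires every recipe line to begin with a literal tab; pasted in this form the Makefile fails with "missing separator" instead of the original "no rule to make target install" error, so re-indent that line with a tab before applying. The fragment also has no `@@` hunk header, so `patch` cannot apply it and it has to be added to tracecap/Makefile by hand; while doing so, consider adding `.PHONY: install` so make never looks for a file named install in the build directory.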

**********************************************************************************************************************/
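To avoid copying the patch with the wrong indentation, the following added script (not from the original post or the BitBlaze release) appends the same empty install target with a literal tab, is safe to run twice, and verifies the result; the Makefile it creates is a constructed sample modelled on tracecap/Makefile.

```shell
#!/bin/sh
# Added example, not part of the original post or the BitBlaze release.
# Appends an empty "install" target to a Tracecap-style Makefile so that
# "make install" no longer stops with "No rule to make target 'install'".
# Recipe lines must begin with a literal tab; a patch pasted from a web page
# often arrives with spaces, which make rejects ("missing separator"), so the
# recipe is written with printf and the tab is checked afterwards.

# Append the target once; return 0 if the Makefile ends up with a usable target.
add_install_target() {
    mk="$1"
    [ -f "$mk" ] || { echo "no such Makefile: $mk" >&2; return 1; }
    if ! grep -q '^install:' "$mk"; then
        printf '\n.PHONY: install\ninstall:\n\t@# Unsupported, nothing to do. Just run from this directory.\n' >> "$mk"
    fi
    install_target_ok "$mk"
}

# Check: exactly one install target, and its recipe line starts with a tab.
install_target_ok() {
    tab="$(printf '\t')"
    [ "$(grep -c '^install:' "$1")" -eq 1 ] &&
        grep -q "^${tab}@# Unsupported" "$1"
}

# Constructed sample Makefile (clean target only, like tracecap/Makefile).
make_sample_makefile() {
    dir="$(mktemp -d)"
    mk="$dir/Makefile"
    printf 'clean:\n\trm -f *.o *.so $(PLUGIN)\n\n-include $(wildcard *.d)\n' > "$mk"
    echo "$mk"
}

# Usage: patch a sample Makefile twice; it must still contain a single target.
demo() {
    mk="$(make_sample_makefile)"
    add_install_target "$mk" && add_install_target "$mk" && install_target_ok "$mk"
}
```

Run it against the real file with `add_install_target tracecap/Makefile` from the temu-1.0 directory.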



Next, you can download the additional source-code release and merge 
its updated files (including Tracecap source) into your TEMU tree: 

cd .. 
wget http://bitblaze.cs.berkeley.edu/release/additional/bitblaze-additional-2010-06.tar.gz 
tar xvzf bitblaze-additional-2010-06.tar.gz 
mv bitblaze bitblaze-additional-2010-06 
cd temu-1.0 
rsync -rav ../bitblaze-additional-2010-06/temu/ . 

Tracecap further depends on two open-source libraries, Sleuthkit and 
llconf. For Sleuthkit, we download version 2.04 and apply a patch that 
comes with the additional source-code release. We also need to fix two 
more build problems that post-date that release, namely that Sleuthkit 
doesn't know that Linux 3.x is compatible with Linux 2.x, and a name 
conflict related to its endian.h header, which are handled by another 
attached patch: 

cd shared 
mv sleuthkit/sleuthkit-2.04.patch . 
rmdir sleuthkit 
# Download sleuthkit-2.04.tar.gz from
# http://sourceforge.net/projects/sleuthkit/files/sleuthkit/2.04/
tar xvzf sleuthkit-2.04.tar.gz 
cd sleuthkit-2.04 
patch -p1 <../sleuthkit-2.04.patch 
patch -p0 <../../../sleuthkit-linux3.patch 

make 

/*********************************************************************************************

An error that may appear when running make:

afflib_i.h:60:26: fatal error: openssl/rand.h: No such file or directory
compilation terminated.
make: *** [aff_db.o] Error 1
make: *** [no-perl] Error 2

Fix:

sudo apt-get install libssl-dev

***************************************************************************************************/

cd .. 

ln -s sleuthkit-2.04 sleuthkit 


Then llconf is a little bit easier, but you need to add the -fPIC 
option to enable linking it into Tracecap's shared library on 64-bit: 

wget http://llconf.googlecode.com/files/llconf-0.4.6.tar.gz 
tar xvzf llconf-0.4.6.tar.gz 
cd llconf-0.4.6 
CFLAGS="-fPIC" ./configure --prefix=$(pwd)/install 
make 
make install 
cd .. 
ln -s llconf-0.4.6 llconf 
cd .. 

Then you can reconfigure TEMU and compile with Tracecap as the plugin: 

./configure --target-list=i386-softmmu --proj-name=tracecap --prefix=$(pwd)/install --disable-gcc-check 
make clean 
make 


Usage (steps to generate a .trace file)

(1) ./tracecap/temu -monitor stdio /home/zqc/WM_OS/windows.img   // start TEMU and boot the guest OS
(2) load_plugin tracecap/tracecap.so   // load the tracecap plugin
(3) enable_emulation   // enable emulation
(4) guest_ps           // list the processes in the current XP guest (including their PIDs)
(5) trace PID "/home/zqc/foo.trace"   // trace the process (foo.exe) by PID; the argument that follows is the path of the file in which the trace is saved
(6) taint_sendkey 5 1001     // send the input "5" as a tainted keystroke to the process in the guest OS
(7) taint_sendkey ret 1001   // send the Enter key to the process in the guest OS
(8) trace_stop             // stop tracing
(9) unload_plugin          // unload the plugin



References:
http://bitblaze.cs.berkeley.edu/release/temu-1.0/howto.html
https://groups.google.com/forum/#!topic/bitblaze-users/QdoY9l8D-ho